A senior Microsoft executive has promised that its new operating system will be more secure than ever. Jean-Philippe Courtois, president of Microsoft International, said that beefing-up security was one reason behind delays to Windows Vista. Microsoft has been criticised for flaws in previous systems that left users vulnerable to attacks by hackers. Mr Courtois said Microsoft had done "tons of work to make Vista a fantastic experience when it comes to security".

While I won't debate that it will be a better setup by default, there's a big mistake that they've been doing all over Vista... rewriting things from the ground up. There is an article (here: http://www.osnews.com/story.php?news_id=15399) that details the security holes in the networking stack. That alone is going to kill its security.

Here's another problem with Security in Vista: UAC. Frankly that solution has only made things worse, not better. Why? Well, no one pays attention to an alarm that goes off every ten minutes.... And UAC is going to be so much a part of the user's experience that they will ignore it, and always allow everything through... or worse, disable it. That's BAD from a security standpoint.

Something I would love to see: Windows bring in some honest-to-goodness security guys (like this guy: http://www.schneier.com/blog/) to evaluate, and help design their systems. Ah, well, they'd just be told to do it like unix does things anyway. Oh well.

While I won't debate that it will be a better setup by default, there's a big mistake that they've been doing all over Vista... rewriting things from the ground up. There is an article (here: http://www.osnews.com/story.php?news_id=15399) that details the security holes in the networking stack. That alone is going to kill its security.

Those holes were identified and fixed by Microsoft before they were even publicized. If you examine what the new stack brings to the table, you'd realize the rewrite was warranted.

Here's another problem with Security in Vista: UAC. Frankly that solution has only made things worse, not better. Why? Well, no one pays attention to an alarm that goes off every ten minutes.... And UAC is going to be so much a part of the user's experience that they will ignore it, and always allow everything through... or worse, disable it. That's BAD from a security standpoint.

Most complaints about UAC are from pre-RC builds, and mainly from power users more likely to perform admin tasks more frequently than average end-users. Many complaints also stem from a lack of understanding of permissions. One of the more common complaints I've seen about UAC is not being able to perform file operations on secondary hard drives without being prompted. The simple fix for this is to enable Write permissions on the drive for standard users, but power users that don't really know what they're doing choose the sledgehammer approach of disabling UAC altogether. UAC isn't the problem. People resisting the transition from running as admin full-time to running as standard user most of the time is the problem.

Something I would love to see: Windows bring in some honest-to-goodness security guys (like this guy: http://www.schneier.com/blog/) to evaluate, and help design their systems.

http://blogs.msdn.com/michael_howard is the guy you're looking for, and he's by far not the only security guy at Microsoft. They also have partnerships with several external security firms.

Ah, well, they'd just be told to do it like unix does things anyway. Oh well.

1. As for the fresh new code, you have to remember that they've been testing their stuff quite vigorously, so the jury is still out on this one.

2. Unix-esque security is definitely not the ultimate security scheme against modern attacks targeted at home computers. These attacks don't try to harm the system, but instead simply want to run on it and exploit its resources or display advertisements to the user. These activities don't require root access, they just require one security hole in any app the user runs.